This account can be used during either MDT Lite Touch deployments using MDT or Zero Touch Deployments via SCCM.
The account requires the following permissions delegated on the OU’s/domain required using the Delegation of Administration wizard or (as in this example) by directly changing the security on particular OUs within the domain.
The account SHOULD NOT be given “Domain Admins” privileges.
In this example I will use a domain account called “CM_DJ” (short for ConfigMgr Domain Join) which starts out with no special permissions other than being a member of “Domain Users”. The account should be restricted from logging into computers via a GPO using the “Allow log on locally” User Rights Assignment item.
In order to view the Security tab in Active Directory Users and Computers enable “View Advanced Features” from the view menu.
The bullet points below summarise what permissions are required during deployment activities:
- Add/Remove new computers (“Bare Metal” scenarios)
- Update existing ones (“Refresh” scenarios)
Open the security tab of the OU you want to give permissions on – this can be done at the domain level if required but for security reasons it is best to limit this to certain parts of Active Directory.
Right-Click the relevant OU and select Properties.
Navigate to the Security tab.
Click on “Advanced“.
Click on “Add” and browse to your account e.g. TESTLAB\CM_DJ (DomainName\JoinAccount)
Choose the following settings:
Choose “This object and all descendant objects”
- Create Computer Objects
- Delete Computer Objects
Click “Add” again and once more select the “JoinAccount” user.
This time, limit the “Apply Onto” scope to “Descendant Computer objects” and choose the following settings:
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principle name
Once this has been done the “JoinAccount” (in this example TESTLAB\CM_DJ) will have the required permissions to add, modify and remove computer accounts in the locations you specify and nothing over and above that.
## Edit 09/03/2017 ##
Updated to reflect the updated GUI in Windows Server 2012 and later.
## Edit 24/02/2015 ##
To automate this process, check out Johan Arwidmark’s blog where you can download a script that he and Mikael Nystrom wrote to automate the permissions required:
Thank you for this. I have been looking for minimal settings for hours now. Your page had exactly what i was looking for.
I like the valuable information you supply to your articles.
I will bookmark your weblog and take a look at once more right here frequently.
I am relatively certain I’ll learn many new stuff proper right here! Good luck for the following!
Pretty! This was an extremely wonderful article. Many thanks
for supplying this info.
Its like you read my mind! You appear to know a lot about
this, like you wrote the book in it or something.
I think that you could do with a few pics to drive the message home a little bit, but instead of that,
this is wonderful blog. An excellent read. I’ll definitely be back.
You really make it seem so easy along with your presentation but I find this
topic to be actually one thing which I think I might
never understand. It sort of feels too complicated
and extremely vast for me. I’m having a look ahead on your next publish, I will attempt to get the cling of it!
Pingback: Permissions for MDT deployment account | Technology Librarian Does Stuff
Wow, that’s what I was seeking for, what a material! existing here at
this blog, thanks admin of this site.
Pingback: Using Citrix PVS to stream Linux VDA (RHEL 7 Workstation) | magicalyak
Pingback: Using Citrix PVS to stream Linux VDA (RHEL 7 Workstation) – magicalyak
Excellent blog post. I absolutely love this website.
Continue the good work!
Do the Computer Hostname needs to be prestaged?
No they don’t.